If you are a Strapi customer or user, employee, applicant, or just visiting our website, this policy applies to you.
If you are a registered customer of Strapi, we act as the ‘data controller’ of personal data about you and your use of Strapi, but as the ‘data processor’ of personal data in the information you put into Strapi (like information about your users, etc.).
From the first moment you interact with Strapi, we are collecting data. Sometimes you provide us with data, and sometimes we collect data about you, either automatically or sometimes from other sources, like publicly available websites or from a trusted data supplier.
Contact details: Your name, address, telephone number, email address...
Financial information: Your credit/debit card details...
Data that identifies you: Your IP address, login information, browser type and version, time zone setting, browser plug-in types, geolocation information about where you might be, operating system and version, etc.
Data on how you use Strapi: Your URL clickstreams (the path you take through our site), products/services viewed, page response times, download errors, how long you stay on our pages, what you do on those pages, how often, and other actions…
What about really sensitive data?
We don’t collect any "sensitive data" about you (like racial or ethnic origin, political opinions, religious/philosophical beliefs, trade union membership, genetic data, biometric data, health data, data about your sexual life or orientation, and offenses or alleged offenses) except when we have your specific consent, or when we have to comply with the law.
What about children’s data?
Strapi is a business-to-business service directed to and intended for use only by those who are 16 years of age or over. We do not target Strapi at children, and we do not knowingly collect any personal data from any person under 16 years of age.
Data protection law means that we can only use your data for certain reasons and where we have a legal basis for doing so.
Here are the reasons for which we process your data:
Keeping Strapi running: Log in and authentication, processing payments.
Legal Basis for this data usage: Contract + Legitimate Interests
Improving Strapi: Testing features, interacting with feedback platforms and questionnaires, managing landing pages, heat mapping our site, traffic optimization and data analysis and research, including profiling and the use of machine learning and other techniques over your data and in some cases using third parties to do this.
Legal Basis: Contract + Legitimate Interests
Customer Support: Notifying you of any changes to our service, solving issues via live chat support, phone or email, including any bug fixing.
Legal Basis: Contract
Newsletter and event invitations (with your consent): Sending you emails and messages about events and new features, products and services, and content.
Legal Basis: Consent
Legal Basis: Contract
Consent: You have given clear consent for us to process your personal data for a specific purpose.
Contract: Processing your data is necessary for a contract you have with us, or because you have asked us to take specific steps before entering into that contract.
Legitimate interests: Processing your data is necessary for our legitimate interests or the legitimate interests of a third party, provided those interests are not outweighed by your rights and interests. These legitimate interests are:
In each case, these legitimate interests are only valid if they are not outweighed by your rights and interests.
You can change your mind!
If you have previously given consent to our processing your data, you can freely withdraw such consent at any time. You can do this by emailing us at privacy@strapi.io.
If you do withdraw your consent, and if we do not have another legal basis for processing your information, then we will stop processing your personal data. If we do have another legal basis for processing your information, then we may continue to do so subject to your legal rights.
YOUR CHOICES
If you choose to do this, you can continue to use the website and browse its pages, but we will not be able to process transactions without personal data.
You can block cookies by activating a setting on your browser allowing you to refuse cookies, or by using the cookie tool on our website. You can also delete cookies through your browser settings. If you turn off cookies, you can continue to use the website and Strapi, but certain services will not work effectively.
We will inform you (before collecting your data) if we intend to use your data for marketing and if third parties are involved. You can opt out from marketing by emailing us at privacy@strapi.io.
YOUR RIGHTS
You can exercise your rights by sending us an email at privacy@strapi.io.
This includes the right to ask us for supplementary information about:
We will provide you with the information within one month of your request, unless doing so would adversely affect the rights and freedoms of others (e.g. another person’s confidentiality or intellectual property rights). We’ll tell you if we can’t meet your request for that reason.
We may use your data to determine whether we should let you know information that might be relevant to you (for example, tailoring emails to you based on your behaviour). Otherwise, the only circumstance in which we will do this is to provide the Strapi service to you.
We will give you a copy of your data in CSV or JSON so that you can provide it to another service. If you ask us and it is technically possible, we will directly transfer the data to the other service for you. We will not do so to the extent that this involves disclosing data about any other individual.
You can do this by asking us to erase any personal data we hold about you, if it is no longer necessary for us to hold the data for purposes of your use of Strapi. This right doesn’t always apply (for example, if we have a contract with you), but we’ll tell you if this is the case when you ask us to erase your data.
Please tell us first, so we have a chance to address your concerns. If we fail in this, you can address any complaint to the supervisory authority for data protection issues in your country of residence.
If you are located in the EEA or the UK and you are a Customer, Site Visitor or Event Attendee, and wish to exercise any of the rights set out above, you may contact us at privacy@strapi.io using the term "DSR" as your email subject line.
You will not have to pay a fee to access your personal data (or to exercise any of the other rights) unless your request is clearly unfounded, repetitive or excessive. Alternatively, we may refuse to comply with your request under those circumstances.
If we cannot reasonably verify your identity, we will not be able to comply with your request(s). We may need to request specific information from you to help us confirm your identity. This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. Note that this is especially true when you engage a third party to assist you in exercising your rights.
We will respond to all legitimate requests within one month. Occasionally it may take us longer than a month if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated as required by law. In addition, we will always balance your rights against those of other data subjects in connection with any requests, and in some cases this may require us to redact our responses or deny a request.
Pursuant to Article 27 of the General Data Protection Regulation (GDPR), Strapi has appointed European Data Protection Office (EDPO) as its GDPR representative in the EU. You can contact EDPO regarding matters pertaining to the GDPR by:
We have put in place reasonably appropriate security measures designed to prevent your personal data from being accidentally lost, used or accessed in an unauthorized way, altered or disclosed. We limit access to personal data only to those employees, agents, contractors and the third parties who have a business need-to-know.
We also have procedures in place to deal with any suspected data security breach. If required, we will notify you and any applicable regulator of a suspected data security breach. We also require those parties to whom we transfer your personal information to provide acceptable standards of security.
Notwithstanding, no Internet or email transmission is ever fully secure or error-free. In particular, email sent to or from the Solution may not be secure. Therefore, take special care in deciding what information you send to us via email. For any questions about the security of your information, please contact privacy@strapi.io.
And please remember:
Strapi is a United States Delaware corporation with primary storage of your information in the United States and the EEA. To facilitate our global operations, we may process personal information from around the world, including from other countries in which Strapi has operations, employees, or in the data processing facilities operated by the third parties identified below.
If you are accessing or using our Solution or otherwise providing personal information to us, you are agreeing and consenting to the processing of your personal information in the United States and other jurisdictions in which we operate.
If you are a Customer, you are responsible for informing your End Users of how and where their personal data will be processed at the time of collection.
If you’ve been a Strapi customer, we’ll delete your personal data from our systems six years after you stop being a Strapi customer. We keep the information during this time in case there are any legal claims relating to your time as a customer. We’ll delete information that you have in Strapi itself in accordance with the arrangements set out in your contract with us.
If we contacted you about buying Strapi or you requested a demo from us, we’ll delete your personal data from our systems two years after we last contacted you. This stops us from contacting you again too soon if you’re not interested in Strapi right now.
If you’re a member of the Strapi Discord community, we’ll delete your personal data from our systems two years after you leave the Discord community.
Tech businesses often use third parties to help them host their application, communicate with customers, power their emails etc. We partner with third parties who we believe are the best in their field at what they do.
When we do this, sometimes it is necessary for us to share your data with them in order to get these services to work well. Your data is shared only when strictly necessary and according to the safeguards and good practices detailed in this Privacy Policy.
We’ve divided our third-party service providers into 3 types:
These are the third-party service providers who help us to process personal data on your behalf when you are a Strapi customer. You are the controller of this personal data. We use these sub-processors to provide hosting and functionality in the Strapi Solution.
If you add third-party integrations to your Strapi project, we strongly advise you to consult the privacy policy for each of those integrations. Strapi cannot be held responsible for the personal data shared with the providers of these integrations.
These are the third-party service providers who we use to help run our Solution. They process personal data (of which we are the controller) on our behalf.
These are other third-party service providers who we use to help run our business (including this website).
You will find a list here of our current third-party service providers.
We use cookies. Unless you adjust your browser settings to refuse cookies, we (and these third parties) will issue cookies when you interact with Strapi. These may be ‘session’ cookies, meaning they delete themselves when you leave Strapi, or ‘persistent’ cookies which do not delete themselves and help us recognise you when you return so we can provide a tailored service.
How can I block cookies?
You can block cookies by activating a setting on your browser allowing you to refuse the setting of cookies. You can also use our cookie banner to manage your preferences. You can also delete cookies through your browser settings. If you use your browser settings to disable, reject, or block cookies (including essential cookies), certain parts of our website or app will not function fully. In some cases, our website or app may not be accessible at all. Please note that where third parties use cookies we have no control over how those third parties use those cookies.
Which specific cookies do we use?
If you have any questions or suggestions regarding this Privacy Policy, please contact us at privacy@strapi.io.
Last update: March 01, 2023